Message-Id: <20071022122205.8A3F.SHAUN@shaunc.com>
Date: Mon, 22 Oct 2007 12:28:41 -0500
From: Shaun <shaun@...unc.com>
To: James Lay <jlay@...ve-tothe-box.net>
Cc: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Spike in SSH scans
I saw an unusually high volume of scans between 2200 and 0000 last night
on my residential connection. They all made their initial probe using
'mysql' as the user. On average it looks like each of them made around
15 attempts, which is fairly low, and points to a scanner smart enough
to recognize that it's been firewalled out.
So far, nothing out of the ordinary at work or on dedicated servers.
Maybe it's only targeting consumer connections? FWIW, my residential IP
is in 75.65/16.
-s
On Sun, 21 Oct 2007 21:20:38 -0600
James Lay <jlay@...ve-tothe-box.net> wrote:
> Anyone else seeing these? Started about 3 hours ago..here's a snippet:
>
> 21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH
> Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc
> activity] [Priority: 3]: {TCP} 203.173.40.167:21823 -> 192.168.0.2:22
>
> And a current list of hits in the last 3 hours:
>
> James
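As an added example (not part of either message above), the pattern Shaun describes can be checked against a local sshd auth log: group failed logins by source address, record which user each source probed first, and flag sources that opened with 'mysql' and gave up after a handful of attempts. The log lines are constructed, the addresses are documentation ranges rather than the ones from the thread, and the `max_attempts` threshold and the OpenSSH "Failed password for [invalid user] NAME from ADDR" line format are assumptions.

```python
import re

# Matches standard OpenSSH auth-log failures, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def summarize_failures(lines):
    """Per source IP: the first user probed, total attempts, distinct users tried."""
    per_src = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:          # accepted logins, disconnects, etc. are ignored
            continue
        src, user = m.group("src"), m.group("user")
        entry = per_src.setdefault(src, {"first_user": user, "attempts": 0, "users": []})
        entry["attempts"] += 1
        if user not in entry["users"]:
            entry["users"].append(user)
    return per_src

def flag_mysql_probers(per_src, max_attempts=20):
    """Sources that led with 'mysql' and stopped after a few tries: the low-volume,
    firewall-aware scanner pattern described in the thread. Threshold is an assumption."""
    return sorted(
        src for src, e in per_src.items()
        if e["first_user"] == "mysql" and e["attempts"] <= max_attempts
    )

# Constructed sample log (documentation-range IPs, not real indicators).
SAMPLE_LOG = [
    "Oct 21 22:13:02 host sshd[4021]: Failed password for invalid user mysql from 203.0.113.7 port 41230 ssh2",
    "Oct 21 22:13:05 host sshd[4023]: Failed password for root from 203.0.113.7 port 41244 ssh2",
    "Oct 21 22:13:09 host sshd[4025]: Failed password for invalid user admin from 203.0.113.7 port 41251 ssh2",
    "Oct 21 22:14:11 host sshd[4030]: Failed password for root from 198.51.100.23 port 50112 ssh2",
    "Oct 21 22:14:12 host sshd[4031]: Accepted publickey for alice from 198.51.100.200 port 51004 ssh2",
    "Oct 21 22:15:00 host sshd[4040]: Failed password for invalid user mysql from 192.0.2.9 port 39001 ssh2",
] + [
    # A persistent brute-forcer: also opens with 'mysql' but keeps hammering (25 more tries).
    f"Oct 21 22:15:{i:02d} host sshd[{4041 + i}]: Failed password for root from 192.0.2.9 port {39002 + i} ssh2"
    for i in range(25)
]

if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for src in flag_mysql_probers(summary):
        print(src, summary[src])
```

Only 203.0.113.7 is flagged: it led with 'mysql' and stopped after 3 attempts, while 192.0.2.9 exceeds the threshold and 198.51.100.23 never tried 'mysql'.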
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/